Building End-to-End Encrypted Apps (Web & React Native)

Rate this content
Bookmark

Building end-to-end encrypted applications is exciting, but also intimidating. This talk is designed to lower the entry barrier, offering a clear roadmap for integrating end-to-end encryption in collaborative, real-time applications.

We begin by unveiling a simple design with one shared encryption key, promptly addressing its inherent challenges. Progressively, we delve into tools like Opaque, Secsync and CRDTs to tackle the challenges we identified and enhance our application with the goal of offering a seamless user experience without compromising on security.

Each segment of the talk starts with an accessible overview before diving into practical, code-based examples. This approach not only demystifies the intimidating theory and empowers attendees with the tools and knowledge to apply these principles effectively in their projects.

This talk has been presented at React Summit 2024, check out the latest edition of this React Conference.

FAQ

Building end-to-end encrypted apps comes with challenges in terms of user experience (UX) and architecture. Managing encrypted data requires different approaches, especially for collaborative and real-time applications, to ensure data integrity and conflict resolution.

Encrypted data can be shared with other users by creating invitation links that include a token for accessing the data. The key can be hidden in the URL hash, which is not sent to the server, ensuring that only the invited user can decrypt and access the shared data.

End-to-end encryption works by generating a key to encrypt data into ciphertext before sending it over a server. Only the participants with the key can decrypt the ciphertext back into readable data. This ensures that no third party can read the content.

End-to-end encrypted applications ensure that only the intended participants can read the content. This provides enhanced privacy and security, even from service administrators. It is particularly useful for sensitive data and ensures that even if a database is breached, the data remains protected.

Keys in end-to-end encrypted applications can be managed by creating a locker system. A locker encrypts multiple keys with a master key, which can then be used to access the encrypted documents. This simplifies key management by requiring users to remember only one master key.

An end-to-end encrypted app is an application where multiple clients, which can be your devices or devices from other users, collaborate and the content is only known to these participants. Every third party, including ISPs and service administrators, cannot read the content.

CRDTs, or Conflict-free Replicated Data Types, are data structures that allow you to sync data across multiple clients without conflicts. They are crucial for building real-time collaborative applications because they ensure all clients end up in the same state, regardless of the order in which updates are received.

Opaque is a password-based client-server authentication method where the server never obtains the user's password. It generates a secure export key during registration, which can be used to encrypt and manage other keys. This allows users to log in with a username and password without needing to remember a separate encryption key.

Linny is an end-to-end encrypted to-do app built with Expo, React, and React Native. It allows users to create and manage to-do lists, which can sync across devices in real-time. Users can also create invitation links to collaborate on to-do lists with others, ensuring all data remains end-to-end encrypted.

Yes, there are libraries like SecSync, Yjs, and AutoMerge that simplify building end-to-end encrypted apps. These libraries handle the complexities of encryption, data synchronization, and conflict resolution, allowing developers to focus on building their apps.

Nik Graf
Nik Graf
32 min
14 Jun, 2024

Comments

Sign in or register to post your comment.
Video Summary and Transcription
This Talk explores the concept and advantages of end-to-end encryption in software development. It discusses the challenges of data encryption and conflict resolution in collaborative apps. The integration of end-to-end encryption with conflict-free replicated data types (CRDTs) is highlighted. The talk also covers simplified document sync, real-time sync and encryption, key management, and authentication. Additionally, it mentions the importance of local-first integration, CRDT frameworks, and data search indices.

1. Introduction to End-to-End Encryption

Short description:

In this part, we will discuss the concept and advantages of end-to-end encrypted apps. The speaker shares their personal intrigue with such apps and the motivation behind building them. They introduce a hands-on example app called Linny, an open-source end-to-end encrypted to-do app. The speaker demonstrates the app's functionality and highlights the ability to collaborate securely. The talk will delve into the core topic of end-to-end encryption.

So, hello, everybody. Let's get started. Building end-to-end encrypted apps. What do I mean by that? What do I understand as an end-to-end encrypted app? Basically, an application where you can have multiple clients, can be your devices, can be devices from other users, and you can collaborate. And the content is only known to these participants. So, everyone in between, every third party, every ISP, the people who are running the service, managing the database, they cannot read the content.

And that might bring up the next question, why actually do this? Well, for me, I was really intrigued by when I first used messaging apps like Signal and so on and realized, wow, it's actually me, I can be assured that the content can only be read by me if the code is solid. And I was intrigued from two perspectives, because as a user, I can decide who can actually read my data. The admins of the service, they cannot read the data. But also, as someone running services and databases, I was really intrigued by the idea of some kind of data, like sensible data, I don't want to even have access to. And with end-to-end encryption, you basically can make that happen.

So, I went down that road a couple of years back and started building end-to-end encrypted apps. And with that, I started working on tools. And obviously, they came with a couple of challenges in terms of UX and architecture, because a lot of things are different. And today, I want to share these lessons. And to do that, I felt like I want to build something really hands-on or show something hands-on. And to procrastinate, I built this app called Linny, which is on GitHub, it's open source, and you can even try it out on linny.app. And the thing about it is, it's an end-to-end encrypted to-do app.

So let me quickly show you. It's built with Expo. So it's React and React Native. It compiles the web, compiles to iOS, and I haven't set it up yet, but can do Android as well. And let's quickly see here, we can sign up, username, password, and we can log in. We have here our to-do list, we can add items. If you look at the right side, it syncs directly to the other device, to the mobile app. And everything's end-to-end encrypted. But what's special about it, we can also create invitation links, copy the link, and go to another user. The user can accept the application, the invitation, and we share this end-to-end encrypted to-do list and can collaborate in it. And what I want to do now with this talk is basically walk you through how I got there. So let's get started with the core of it, end-to-end encryption.

2. Data Encryption and Conflict Resolution

Short description:

We ensure secure data transmission by encrypting it with a key and sending the ciphertext. Decryption is possible with the key. Handling encrypted blocks and managing conflicts in collaborative apps are challenges. One approach is to encrypt the entire content with a key and send it. However, for real-time collaboration, conflict-free replicated data types (CRDTs) are used to resolve conflicts.

What we want to do is, we want to get data from A to B, and nobody in between should read it. And that's a solved problem. You just define a key or generate a key, you encrypt the data. So here, for example, my to-do, with the key, you get a ciphertext, you send it over your server. And if you don't care about the metadata that a server knows, then you can just send the ciphertext and the ciphertext doesn't reveal anything about the data except for its length, which is metadata in that sense again.

And on the other end, if I have the key, I can simply decrypt it and have the data. And while there are a lot of details, all of these are solved, and you just have to write and pick the right algorithms and hint, hint. You can just use libraries to do that. We'll get there in a bit.

But I want to dive a bit more into what we actually encrypt. Because compared to a system where the database is the single source of truth and you have all the data in there, it's a bit more tricky when you only get ciphertext and encrypted blocks. Because if you have a to-do list, and you get an API request to add a to-do, you actually don't get that. You just get information that there's a new ciphertext as a server. So how do you manage that? And one very simple and easy way to do that is to just encrypt with a key, with a to-do list key, the entire content of the to-do list and send it across. And that works. And for some applications, that's definitely good enough. If you just need to do that, awesome.

But if you want to build something that works collaboratively and real-time, that will be not good enough. Because you quickly run into conflicts. What do you do if different devices create pretty much at the same time changes on the same object? Let me illustrate with an example. Let's say you have two timelines, two clients. One adds a to-do, you sync it over. And then basically before syncing again, each of these devices, you make a change, you encrypt it, and you want to sync it. And that becomes really tricky because how do you resolve that? These different... when you sync it. And fortunately, this is also a solved problem. You just have to use CRDDs, conflict-free replicated data types. Sounds scary. And definitely worth a talk on their own. But in a nutshell, they're just data structures that allow you to sync without ever getting a conflict.

QnA

Check out more articles and videos

We constantly think of articles and videos that might spark Git people interest / skill us up or help building a stellar career

A Guide to React Rendering Behavior
React Advanced 2022React Advanced 2022
25 min
A Guide to React Rendering Behavior
Top Content
This transcription provides a brief guide to React rendering behavior. It explains the process of rendering, comparing new and old elements, and the importance of pure rendering without side effects. It also covers topics such as batching and double rendering, optimizing rendering and using context and Redux in React. Overall, it offers valuable insights for developers looking to understand and optimize React rendering.
Building Better Websites with Remix
React Summit Remote Edition 2021React Summit Remote Edition 2021
33 min
Building Better Websites with Remix
Top Content
Remix is a web framework built on React Router that focuses on web fundamentals, accessibility, performance, and flexibility. It delivers real HTML and SEO benefits, and allows for automatic updating of meta tags and styles. It provides features like login functionality, session management, and error handling. Remix is a server-rendered framework that can enhance sites with JavaScript but doesn't require it for basic functionality. It aims to create quality HTML-driven documents and is flexible for use with different web technologies and stacks.
React Compiler - Understanding Idiomatic React (React Forget)
React Advanced 2023React Advanced 2023
33 min
React Compiler - Understanding Idiomatic React (React Forget)
Top Content
Watch video: React Compiler - Understanding Idiomatic React (React Forget)
Joe Savona
Mofei Zhang
2 authors
The Talk discusses React Forget, a compiler built at Meta that aims to optimize client-side React development. It explores the use of memoization to improve performance and the vision of Forget to automatically determine dependencies at build time. Forget is named with an F-word pun and has the potential to optimize server builds and enable dead code elimination. The team plans to make Forget open-source and is focused on ensuring its quality before release.
Using useEffect Effectively
React Advanced 2022React Advanced 2022
30 min
Using useEffect Effectively
Top Content
Today's Talk explores the use of the useEffect hook in React development, covering topics such as fetching data, handling race conditions and cleanup, and optimizing performance. It also discusses the correct use of useEffect in React 18, the distinction between Activity Effects and Action Effects, and the potential misuse of useEffect. The Talk highlights the benefits of using useQuery or SWR for data fetching, the problems with using useEffect for initializing global singletons, and the use of state machines for handling effects. The speaker also recommends exploring the beta React docs and using tools like the stately.ai editor for visualizing state machines.
Routing in React 18 and Beyond
React Summit 2022React Summit 2022
20 min
Routing in React 18 and Beyond
Top Content
Routing in React 18 brings a native app-like user experience and allows applications to transition between different environments. React Router and Next.js have different approaches to routing, with React Router using component-based routing and Next.js using file system-based routing. React server components provide the primitives to address the disadvantages of multipage applications while maintaining the same user experience. Improving navigation and routing in React involves including loading UI, pre-rendering parts of the screen, and using server components for more performant experiences. Next.js and Remix are moving towards a converging solution by combining component-based routing with file system routing.
(Easier) Interactive Data Visualization in React
React Advanced 2021React Advanced 2021
27 min
(Easier) Interactive Data Visualization in React
Top Content
This Talk is about interactive data visualization in React using the Plot library. Plot is a high-level library that simplifies the process of visualizing data by providing key concepts and defaults for layout decisions. It can be integrated with React using hooks like useRef and useEffect. Plot allows for customization and supports features like sorting and adding additional marks. The Talk also discusses accessibility concerns, SSR support, and compares Plot to other libraries like D3 and Vega-Lite.

Workshops on related topic

React Performance Debugging Masterclass
React Summit 2023React Summit 2023
170 min
React Performance Debugging Masterclass
Top Content
Featured WorkshopFree
Ivan Akulov
Ivan Akulov
Ivan’s first attempts at performance debugging were chaotic. He would see a slow interaction, try a random optimization, see that it didn't help, and keep trying other optimizations until he found the right one (or gave up).
Back then, Ivan didn’t know how to use performance devtools well. He would do a recording in Chrome DevTools or React Profiler, poke around it, try clicking random things, and then close it in frustration a few minutes later. Now, Ivan knows exactly where and what to look for. And in this workshop, Ivan will teach you that too.
Here’s how this is going to work. We’ll take a slow app → debug it (using tools like Chrome DevTools, React Profiler, and why-did-you-render) → pinpoint the bottleneck → and then repeat, several times more. We won’t talk about the solutions (in 90% of the cases, it’s just the ol’ regular useMemo() or memo()). But we’ll talk about everything that comes before – and learn how to analyze any React performance problem, step by step.
(Note: This workshop is best suited for engineers who are already familiar with how useMemo() and memo() work – but want to get better at using the performance tools around React. Also, we’ll be covering interaction performance, not load speed, so you won’t hear a word about Lighthouse 🤐)
Concurrent Rendering Adventures in React 18
React Advanced 2021React Advanced 2021
132 min
Concurrent Rendering Adventures in React 18
Top Content
Featured WorkshopFree
Maurice de Beijer
Maurice de Beijer
With the release of React 18 we finally get the long awaited concurrent rendering. But how is that going to affect your application? What are the benefits of concurrent rendering in React? What do you need to do to switch to concurrent rendering when you upgrade to React 18? And what if you don’t want or can’t use concurrent rendering yet?

There are some behavior changes you need to be aware of! In this workshop we will cover all of those subjects and more.

Join me with your laptop in this interactive workshop. You will see how easy it is to switch to concurrent rendering in your React application. You will learn all about concurrent rendering, SuspenseList, the startTransition API and more.
React Hooks Tips Only the Pros Know
React Summit Remote Edition 2021React Summit Remote Edition 2021
177 min
React Hooks Tips Only the Pros Know
Top Content
Featured Workshop
Maurice de Beijer
Maurice de Beijer
The addition of the hooks API to React was quite a major change. Before hooks most components had to be class based. Now, with hooks, these are often much simpler functional components. Hooks can be really simple to use. Almost deceptively simple. Because there are still plenty of ways you can mess up with hooks. And it often turns out there are many ways where you can improve your components a better understanding of how each React hook can be used.You will learn all about the pros and cons of the various hooks. You will learn when to use useState() versus useReducer(). We will look at using useContext() efficiently. You will see when to use useLayoutEffect() and when useEffect() is better.
React, TypeScript, and TDD
React Advanced 2021React Advanced 2021
174 min
React, TypeScript, and TDD
Top Content
Featured WorkshopFree
Paul Everitt
Paul Everitt
ReactJS is wildly popular and thus wildly supported. TypeScript is increasingly popular, and thus increasingly supported.

The two together? Not as much. Given that they both change quickly, it's hard to find accurate learning materials.

React+TypeScript, with JetBrains IDEs? That three-part combination is the topic of this series. We'll show a little about a lot. Meaning, the key steps to getting productive, in the IDE, for React projects using TypeScript. Along the way we'll show test-driven development and emphasize tips-and-tricks in the IDE.
Web3 Workshop - Building Your First Dapp
React Advanced 2021React Advanced 2021
145 min
Web3 Workshop - Building Your First Dapp
Top Content
Featured WorkshopFree
Nader Dabit
Nader Dabit
In this workshop, you'll learn how to build your first full stack dapp on the Ethereum blockchain, reading and writing data to the network, and connecting a front end application to the contract you've deployed. By the end of the workshop, you'll understand how to set up a full stack development environment, run a local node, and interact with any smart contract using React, HardHat, and Ethers.js.
Designing Effective Tests With React Testing Library
React Summit 2023React Summit 2023
151 min
Designing Effective Tests With React Testing Library
Top Content
Featured Workshop
Josh Justice
Josh Justice
React Testing Library is a great framework for React component tests because there are a lot of questions it answers for you, so you don’t need to worry about those questions. But that doesn’t mean testing is easy. There are still a lot of questions you have to figure out for yourself: How many component tests should you write vs end-to-end tests or lower-level unit tests? How can you test a certain line of code that is tricky to test? And what in the world are you supposed to do about that persistent act() warning?
In this three-hour workshop we’ll introduce React Testing Library along with a mental model for how to think about designing your component tests. This mental model will help you see how to test each bit of logic, whether or not to mock dependencies, and will help improve the design of your components. You’ll walk away with the tools, techniques, and principles you need to implement low-cost, high-value component tests.
Table of contents- The different kinds of React application tests, and where component tests fit in- A mental model for thinking about the inputs and outputs of the components you test- Options for selecting DOM elements to verify and interact with them- The value of mocks and why they shouldn’t be avoided- The challenges with asynchrony in RTL tests and how to handle them
Prerequisites- Familiarity with building applications with React- Basic experience writing automated tests with Jest or another unit testing framework- You do not need any experience with React Testing Library- Machine setup: Node LTS, Yarn